# Automaker Docker Compose
# Runs Automaker in complete isolation from your host filesystem.
# The container cannot access any files on your laptop - only Docker-managed volumes.
#
# Scope of the isolation: this file defines no bind mounts, no privileged mode
# and no host networking. It does publish two TCP ports on the host (see the
# `ports` notes below), so the services remain reachable over the network.
#
# Usage:
#   docker-compose up -d
#   Then open http://localhost:3007
#
# See docs/docker-isolation.md for full documentation.

services:
  # Frontend UI
  ui:
    build:
      context: .
      dockerfile: Dockerfile
      target: ui
    container_name: automaker-ui
    restart: unless-stopped
    ports:
      # Short 'HOST:CONTAINER' form: Docker publishes this on every host
      # interface, not only loopback. If the UI is only meant to be opened from
      # this machine, '127.0.0.1:3007:80' keeps it off the LAN.
      - '3007:80'
    depends_on:
      - server

  # Backend API Server
  server:
    build:
      context: .
      dockerfile: Dockerfile
      target: server
    container_name: automaker-server
    restart: unless-stopped
    ports:
      # Same exposure as the UI port: reachable on every host interface.
      # This API is started with the credentials listed below, so restrict it to
      # loopback ('127.0.0.1:3008:3008') unless remote access is intended.
      - '3008:3008'
    environment:
      # Every ${VAR} below is substituted by Compose from the invoking shell or
      # an .env file. The resolved values are stored in the container
      # configuration and can be read with `docker inspect` by anyone who has
      # access to the Docker daemon; keep any .env file out of version control.

      # Required
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

      # Optional - Claude CLI OAuth credentials (for macOS users)
      # Extract with: ./scripts/get-claude-token.sh
      # This writes the OAuth tokens to ~/.claude/.credentials.json in the container
      - CLAUDE_OAUTH_CREDENTIALS=${CLAUDE_OAUTH_CREDENTIALS:-}

      # Optional - Cursor CLI OAuth token (extract from host with the command shown below)
      # macOS: ./scripts/get-cursor-token.sh (extracts from Keychain)
      # Linux: jq -r '.accessToken' ~/.config/cursor/auth.json
      # Note: cursor-agent stores its OAuth tokens separately from Cursor IDE
      - CURSOR_AUTH_TOKEN=${CURSOR_AUTH_TOKEN:-}

      # Optional - API key used for authentication; one is generated if left blank
      - AUTOMAKER_API_KEY=${AUTOMAKER_API_KEY:-}

      # Optional - restrict to specific directory within container only
      # Projects and files can only be created/accessed within this directory
      # Paths are INSIDE the container, not on your host
      # Default: /projects
      - ALLOWED_ROOT_DIRECTORY=${ALLOWED_ROOT_DIRECTORY:-/projects}

      # Optional - data directory for sessions, settings, etc. (container-only)
      - DATA_DIR=/data

      # Optional - CORS origin. When CORS_ORIGIN is unset, this file substitutes
      # http://localhost:3007 (the published UI port), so the allow-all default
      # is not what the container receives from this file.
      # NOTE(review): the allow-all default is presumably the server's own
      # fallback when the variable is absent - confirm in the server code.
      - CORS_ORIGIN=${CORS_ORIGIN:-http://localhost:3007}

      # Internal - indicates the API is running in a containerized sandbox environment
      # This is used by the UI to determine if sandbox risk warnings should be shown
      - IS_CONTAINERIZED=true
    volumes:
      # ONLY named volumes - these are isolated from your host filesystem
      # This volume persists data between restarts but is container-managed
      - automaker-data:/data

      # Persist Claude CLI OAuth session keys across container restarts
      # This allows 'claude login' authentication to persist between restarts
      - automaker-claude-config:/home/automaker/.claude

      # Persist Cursor CLI configuration and authentication across container restarts
      # This allows 'cursor-agent login' authentication to persist between restarts
      - automaker-cursor-config:/home/automaker/.cursor

      # NO host directory mounts - container cannot access your laptop files
      # If you need to work on a project, create it INSIDE the container
      # or use a separate docker-compose override file
      # (a bind mount added in an override exposes that host path to the
      # container, so the isolation described above no longer covers it)

    # Security: Server runs as non-root user (already set in Dockerfile)
    #           NOTE(review): the Dockerfile is not part of this file - confirm
    #           its USER directive when auditing.
    # Security: No privileged mode
    # Security: No host network access
    # Security: No host filesystem mounts

volumes:
  automaker-data:
    name: automaker-data
    # Named volume - Docker-managed storage, not a bind mount of a host path
  automaker-claude-config:
    name: automaker-claude-config
    # Named volume for Claude CLI OAuth session keys and configuration
    # Persists authentication across container restarts
    # Holds credentials at rest: readable by anyone with Docker daemon access
  automaker-cursor-config:
    name: automaker-cursor-config
    # Named volume for Cursor CLI configuration and authentication
    # Persists cursor-agent login authentication across container restarts
    # Holds credentials at rest: readable by anyone with Docker daemon access